In an absolutely shocking turn of events, the United States Department of Justice has moved on from Tornado Cash to the next privacy tool in the cryptocurrency space on their list – an incredible Bitcoin wallet called "Samourai Wallet." While the war on privacy in the space is nothing new, the US government has been escalating their attacks more rapidly than anyone foresaw.

Taking the blueprint from their indictment of the Tornado Cash founders, the DOJ is now indicting the two founders of Samourai Wallet, charging them each with one count of conspiracy to commit money laundering (20y maximum sentence) and one count of conspiracy to operate an unlicensed money transmitting business (5y maximum sentence). Thankfully this is only an indictment, and both founders are technically considered innocent until proven guilty, and we at Freedom.Tech and Foundation will be doing our best to raise public awareness on this issue and fight for our right to privacy.

To better understand how incredibly illogical this prosecution is, we have to first explain briefly how Samourai Wallet worked.

How Samourai Wallet worked

Samourai Wallet, unlike many of the other Bitcoin mixers previously prosecuted by the DoJ, had one vital difference – they never took custody of users funds. Samourai Wallet was an entirely self-custodial wallet, requiring users to save their seed phrase and passphrase in order to restore funds. While it did provide privacy features like Whirlpool and Ricochet as mentioned in the indictment, at its core it was a self-custodial Bitcoin wallet.

For the average user of Samourai Wallet the default mode of operation for Samourai Wallet was for the users wallet to send their "xpub" (a master public key allowing derivation of new addresses but not spend funds) to a Samourai Wallet back-end server in order to sync their balance and get new addresses. While this architecture has some privacy disadvantages, it does make the sync process trivial even for those with very poor internet connections, and allowed Samourai to run a simplified architecture as well.

There were, however, ways to prevent sending this data to Samourai, either by running your own back-end server (called a "Dojo") or using an alternative wallet to interact with Samourai's privacy tools, called Sparrow Wallet. The core privacy tool that was used in Samourai Wallet was known as "Whirlpool," and allowed users to gain forward-looking privacy and disconnect their previous transaction history from future activity.

What a Whirlpool transaction looked like on-chain.

There are two vital things to understand about Whirlpool and how it functions:

  1. Samourai Wallet never has custody of funds nor say in where funds are sent.
    1. Each user retains full custody of funds, and their wallets will only sign transactions that ensure their funds are sent back to them in the Whirlpool round.
  2. Samourai Wallet merely helps each of the 5 users communicate their intent and talk to each other, making it easier to find other people trying to gain privacy for UTXOs of the same size.

Ricochet, the other tool mentioned in the indictment, simply allowed users to put distance on-chain between them and a previous transaction, giving more plausible deniability to their activity.

How Ricochet functions.

What's also vital to understand when it comes to Ricochet is that Samourai Wallet never has custody of funds or any say in where funds are sent. Samourai Wallet merely accepted Bitcoin transactions you signed via the Samourai Wallet app and sent to them to broadcast to the Bitcoin network at random intervals. As you alone held your private keys that signed these transactions, they could not be altered in any way by the Samourai Wallet server.

Before the case against Tornado Cash, the technical function of Samourai as a self-custodial wallet would traditionally be enough to absolve them of any responsibility to register as a money transmission business or perform onerous KYC/AML regulations on their users, as they are never materially involved in the execution of transactions. For a deeper dive on these two issues, you can read our previous piece on the Tornado Cash indictment as they have a similar technical functionality and face the exact same two charges:

Tornado Cash indictment shows desperation
The rapidly expanding legal aggression against privacy tools for cryptocurrencies like Bitcoin and Ethereum is beginning to show clear signs of desperation by the U.S government.

Actionable next steps

While all of this is a bit political and philosophical, I wanted to leave you with actionable next steps, especially if you were already a user of Samourai Wallet or Sparrow Wallet. I'll break down below what you should be aware of and what you should do in each of the main ways people used Samourai Wallet.

As a privacy advocate

While it may seem too simple, the first and most important way that we can all take up the fight for privacy is to keep talking about this case and its implications. The moment we are silent and let the DoJ prosecute Samourai Wallet in the dark, we have lost. We each have a platform that we can leverage to get the word out there, push back on the DoJ's narrative, and explain to people how vital privacy is and how much the government wants to prevent easy access to it.

You have a unique platform, use it! Share this post, talk about this case on your favorite social media platform, or simply explain this case to your friends and family.

As a Samourai Wallet user (no Dojo)

Unfortunately, the architecture of Samourai Wallet meant that your xpub (a master public key, allowing anyone holding it to derive all your past/present/future Bitcoin addresses) was at some point in time held by Samourai, and could now possibly be in the hands of the DoJ.

Though it's a worst-case scenario, you should assume that your xpub was compromised, and thus all previous mixes you have done have been unwound and are now traceable. You should also assume that the government can now derive all past/present/future addresses of yours and track movement of funds if so desired.

In addition, Samourai's coordinator and backend sync server was seized, meaning that Samourai Wallet's app will no longer sync, show received funds, or allow sending funds out. As such, you have to migrate funds to another wallet like @SparrowWallet using our tutorial here:

Migrating from Samourai Wallet into Sparrow Wallet
Learn how to migrate from Samourai Wallet to Sparrow wallet in just a few minutes.

In addition, I would recommend migrating funds to a new seed phrase to prevent anyone holding the xpub from seeing all future received/spent funds.

You should also disable automatic updates in the Play Store or F-Droid (if used) to ensure no malicious updates are pushed.

As a Samourai Wallet user (using your own Dojo)

Thankfully, you avoided having your xpub potentially compromised. The worst case scenario for you is that your previous mixes may not have the full anonymity set you expected if non-Dojo users xpubs were compromised.

You will still be able to sync/send/receive from your Samourai Wallet app, but should also migrate funds to another wallet as no further updates will come out for Samourai Wallet. To migrate to Sparrow Wallet, you can use our tutorial here:

Migrating from Samourai Wallet into Sparrow Wallet
Learn how to migrate from Samourai Wallet to Sparrow wallet in just a few minutes.

You should, however, disable automatic updates in the Play Store or F-Droid (if used) to ensure no malicious updates are pushed.

As a Sparrow Wallet user

Thankfully, you avoided having your xpub potentially compromised as well. The worst case scenario for you is that your previous mixes may not have the full anonymity set you expected if non-Dojo/Sparrow users xpubs were compromised.

There is no real need to rotate to a new wallet as Sparrow remains an excellent option. Unfortunately you will no longer be able to mix and gain privacy in Sparrow as the Samourai coordinator was seized.

Next steps for privacy

If you (like me) relied on Samourai Wallet for privacy on Bitcoin, it is sadly time to look elsewhere. As of today I have two recommendations:

Use Monero for spending, keep using Bitcoin for savings

Yes, this isn't Bitcoin, but its by far the most used and most practical privacy coin out there with strong (and growing) ways to swap in/out of it without a centralized, KYC exchange. My recommendation is buying enough to cover your normal spending of Bitcoin for a month at least, and spend out of that lump sum as needed.

As the tools for privacy on cryptocurrencies like Bitcoin and Ethereum are being shut down daily, the importance and value of Monero's consensus-level, decentralized approach to privacy only grows. There has never been a more vital time to learn about it and consider using it.

Learn more:

getmonero.org

Where to get Monero:

LocalMonero, a peer-to-peer exchange

Bisq Network, a decentralized peer-to-peer exchange

Trocador.App, an instant exchange aggregator

Cake Wallet, a Bitcoin and Monero wallet with in-app exchange

Wallets:

Feather Wallet, a fantastic Monero desktop wallet

Cake Wallet, a Bitcoin and Monero wallet

Monerujo Wallet, a fantastic Monero wallet for Android

Merchants that accept Monero:

monerica.com/

cryptwerk.com/pay-with/xmr/

Use JoinMarket

JoinMarket is a decentralized Coinjoin protocol that brings together peers to mix funds together, gaining strong privacy without relying on a central coordinator, without giving fees to a central entity, etc.

The best way to get started today is using the new UI built around JoinMarket, @jamapporg:

Jam
Improve the financial privacy of yourself and others.

Conclusion

This has been an incredibly sad day in the history of Bitcoin, and in the history of freedom tech, but not all hope is lost. We can each play a role in fighting back and acting in public, civil protest against the prosecution of open-source developers running non-custodial privacy tools. We're also hard at work at Foundation to organize Bitcoiners, Bitcoin companies, and privacy advocates behind the defense of the Samourai Wallet team, including exploring a defense fund if necessary. Keep an eye out for updates there!

Thank you for taking the time to read through this today, and I hope it helps you know what's going on and where to turn next.

Onwards.

Join the Conversation

If this post has sparked an idea or motivated you to get involved, there is no better next step then to join the conversation here at freedom.tech! Subscribers can jump straight into the comments below, or you can join our community SimpleX group:

Join the Conversation
If you’ve been inspired by content here on freedom.tech and want to connect with like-minded individuals, we’ve created a couple of group chats to do just that. We’ve intentionally chosen privacy-preserving chat platforms for this purpose, so we’ve settled on Signal and SimpleX as the home for our c…

If you have feedback for this post, have something you'd like to write about on freedom.tech, or simply want to get in touch, you can find all of our contact info here:

Contact Us
We want Freedom.Tech to be more than just a one-way conversation, so we’d love to hear from you all! We’ve setup several ways to get in touch, all of which allow you to preserve your privacy. Have thoughts to add about a blog post? Want to tip us off
Share this post